MFA • Entra ID • Legacy Authentication

The MFA Was On… Just Not Everywhere

A practical reminder that MFA only protects what it actually covers. When legacy authentication, exclusions or forgotten service accounts remain in scope, attackers look for those open paths first.

Briefing summary

The client was not wrong — MFA existed. But it was not consistently enforced everywhere it needed to be.

Legacy auth still active
Exclusions still in place
Password spray activity seen

What happened

Coverage gaps matter more than intention.
MFA was present

On paper, the tenant had MFA enabled and appeared to be in a stronger state than many others.

The missing coverage

Legacy authentication was still enabled, some temporary exclusions remained, and service accounts had never been properly documented or protected.

Lesson learned

MFA is only effective where it is actually enforced. Attackers do not look for the locked doors; they look for the one that was forgotten.
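
One way to check for the gaps described above is to audit exported Conditional Access policies. This is an added example, not GEMXIT's tooling: it assumes policies in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource, and the policy names, account and group in SAMPLE are constructed.

```python
# Added example: audit Conditional Access policies for MFA coverage gaps.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
# SAMPLE is constructed data, not taken from any real tenant.
LEGACY = {"exchangeActiveSync", "other"}  # client app types used by legacy auth
EXCLUDE_KEYS = ("excludeUsers", "excludeGroups", "excludeRoles")

def audit(policies):
    """Return (policy name, finding) tuples describing enforcement gaps."""
    findings, legacy_blocked = [], False
    for p in policies:
        name, state = p["displayName"], p.get("state")
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" not in controls and "block" not in controls:
            continue  # not an MFA or block policy, out of scope here
        if state != "enabled":  # disabled and report-only policies enforce nothing
            findings.append((name, f"not enforced (state={state})"))
            continue
        cond = p.get("conditions", {})
        users = cond.get("users", {})
        apps = set(cond.get("clientAppTypes", []))
        all_users = "All" in users.get("includeUsers", [])
        covers_legacy = "all" in apps or LEGACY <= apps
        for key in EXCLUDE_KEYS:  # every exclusion is a path the policy skips
            for item in users.get(key, []):
                findings.append((name, f"{key}: {item} is outside this policy"))
        if not all_users:
            findings.append((name, "policy does not include all users"))
        if "mfa" in controls and not covers_legacy:
            findings.append((name, "legacy-auth clients are outside this MFA policy"))
        if "block" in controls and covers_legacy and all_users:
            legacy_blocked = True
    if not legacy_blocked:
        findings.append(("<tenant>", "no enforced all-users policy blocks legacy auth"))
    return findings

SAMPLE = [  # constructed: MFA "on", but with exclusions and legacy auth left open
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-backup (constructed)"],
                              "excludeGroups": ["Temp-MFA-Exclusions (constructed)"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
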
Not sure MFA is really enforced everywhere?
GEMXIT helps review Entra ID, legacy authentication and Conditional Access coverage to close practical gaps.


This Agent Foskett cyber briefing covers MFA gaps, legacy authentication, service account exposure and password spray risk in Microsoft Entra ID environments.

It focuses on the difference between MFA being present and MFA being fully enforced.